The UK Information Commissioner’s Office has published a draft “International Transfer Risk Assessment and Tool” and a draft “International Data Transfer Agreement” to replace the EU Standard Contractual Clauses for personal data transfers out of the UK. They now seek feedback from organisations affected by UK international personal data transfers.
The challenges around international transfers
There has been considerable uncertainty around international transfers of personal data since the European Court’s decision in Schrems II in July 2020 and Brexit at the end of 2020.
By way of reminder, in Schrems II the Court decided that although the EU Standard Contractual Clauses (EU SCCs) are a valid transfer tool, businesses must also risk assess the laws and practices of the data importer’s country to make sure they are consistent with GDPR standards. This has understandably caused businesses significant challenges.
We are now finally starting to get some certainty in this area.
On 29 June 2021, the European Commission granted an adequacy decision to the UK, which confirmed that the UK’s high standards of data protection were equivalent to those of the EU and allowed for the continuing free flow of personal data from the EU to the UK.
The ICO has now published a draft International Data Transfer Agreement (IDTA) and guidance which will, in their final form, protect personal data transferred from the UK to countries not covered by adequacy decisions and help ensure the transfer complies with the UK GDPR.
The IDTA is user-friendly and helpfully includes an addendum which can be used as a “bolt on” to the EU SCCs for businesses that are transferring both “EU data” and “UK data” internationally. This will be a relief for businesses as it allows them to use one set of clauses for their data transfers instead of having both the EU SCCs and the UK IDTA.
The ICO has also drafted its own form of data transfer risk assessment, which will be referred to as a Transfer Risk Assessment (TRA), to help businesses meet the requirements of Schrems II. Businesses will be required to carry out TRAs in advance of making any restricted transfers.
The ICO’s consultation is now open, seeking responses to the draft IDTA and draft TRA.
Businesses that transfer personal data from the UK to third countries should familiarise themselves with the draft IDTA, TRA and associated guidance.
Further, they are encouraged to participate in the consultation so they can positively influence the outcome of the consultation and the final versions of the IDTA and TRA.
A link to the consultation is here.
The consultation closes at 5pm on 7 October 2021.